Problem with autofs and ldap

Problem with autofs and ldap

[rsmits-l]

Hello,

I have a very weird issue that maybe someone sounds familiar. I have 
placed our automount entry's in our Active Directory / LDAP. Problem is 
that is it not stable. After a restart of autofs I sometimes only see 
half of our map entry's. Sometimes 75 %.

When I do a autofs reload maybe 90 % of the time I see all entry's. I am 
having this issue on Redhat 6 and Suse 11. Strange thing is that the 
autofs logging (debug) shows always all the entry's but are not 
reflected in the filesystem structure.

This is my config :

/etc/sysconfig/autofs
----
LDAP_URI="ldap://srvxxx.domain.net/"
SEARCH_BASE="ou=LinuxAutoMount,ou=Resources,dc=domain,dc=net"
LDAP_TIMEOUT="100"
LDAP_NETWORK_TIMEOUT="100"
MAP_HASH_TABLE_SIZE=2048

/etc/autofs_ldap_auth.conf
----
<autofs_ldap_sasl_conf
      usetls="no"
      tlsrequired="no"
      authrequired="yes"
      authtype="GSSAPI"
      clientprinc="nfs/client01.domain.net@DOMAIN.NET"
/>

/etc/nsswitch.conf
----
automount:    files ldap

Greetings, Richard Smits
-- 
R. (Richard) Smits
Systeembeheerder

TU Delft / Shared Service centre ICT
Landbergstraat 15, 2628CE Delft
Kamer: C-2-520
Postbus 354, 2600AJ Delft
T +31 (0)15 27 87312
F +31 (0)15 27 83787
E r.smits@tudelft.nl
I www.ssc-ict.tudelft.nl/pdc
aanwezig: maandag t/m donderdag

Re: Problem with autofs and ldap

[Ian Kent]

On 15/10/14 20:31, rsmits-l wrote:
> Hello,
>
> I have a very weird issue that maybe someone sounds familiar. I have
> placed our automount entry's in our Active Directory / LDAP. Problem is
> that is it not stable. After a restart of autofs I sometimes only see
> half of our map entry's. Sometimes 75 %.

That's odd if the map is actually being read, yes.
At one time autofs didn't do paged ldap reads so AD would only send one 
page which meant not all the entries would be read for larger maps.

>
> When I do a autofs reload maybe 90 % of the time I see all entry's. I am
> having this issue on Redhat 6 and Suse 11. Strange thing is that the
> autofs logging (debug) shows always all the entry's but are not
> reflected in the filesystem structure.

I can't remember now what gets logged for the ldap map reads so how have 
you established the read gets all the entries (and what rel6 version of 
autofs are you using)?

>
> This is my config :
>
> /etc/sysconfig/autofs
> ----
> LDAP_URI="ldap://srvxxx.domain.net/"
> SEARCH_BASE="ou=LinuxAutoMount,ou=Resources,dc=domain,dc=net"
> LDAP_TIMEOUT="100"
> LDAP_NETWORK_TIMEOUT="100"
> MAP_HASH_TABLE_SIZE=2048

OK, so BROWSE_MODE isn't set so it = yes by default and you expect the 
mount point directories within what are probably indirect mounts to be 
created or removed, as the case may be, correct?

But they aren't all being created (or removed)?

>
> /etc/autofs_ldap_auth.conf
> ----
> <autofs_ldap_sasl_conf
>       usetls="no"
>       tlsrequired="no"
>       authrequired="yes"
>       authtype="GSSAPI"
>       clientprinc="nfs/client01.domain.net@DOMAIN.NET"
> />

Don't think this makes any difference since if auth was failing I don't 
think you would get any entries.

>
> /etc/nsswitch.conf
> ----
> automount:    files ldap

This might make a difference, depending on what file maps exist, but we 
would need a debug log and map examples to reproduce the problem.

What about logging a bug against rhel-6 and working on it there.

Ian

Re: Problem with autofs and ldap

[rsmits-l]

On 10/17/2014 10:51 AM, Ian Kent wrote:
> On 15/10/14 20:31, rsmits-l wrote:
>> Hello,
>>
>> I have a very weird issue that maybe someone sounds familiar. I have
>> placed our automount entry's in our Active Directory / LDAP. Problem is
>> that is it not stable. After a restart of autofs I sometimes only see
>> half of our map entry's. Sometimes 75 %.
>
> That's odd if the map is actually being read, yes.
> At one time autofs didn't do paged ldap reads so AD would only send one
> page which meant not all the entries would be read for larger maps.
>

Yes, the paged ldap story crossed my screen when I was googling for this 
problem.

>>
>> When I do a autofs reload maybe 90 % of the time I see all entry's. I am
>> having this issue on Redhat 6 and Suse 11. Strange thing is that the
>> autofs logging (debug) shows always all the entry's but are not
>> reflected in the filesystem structure.
>
> I can't remember now what gets logged for the ldap map reads so how have
> you established the read gets all the entries (and what rel6 version of
> autofs are you using)?

The read gets all the entry's but just doesn't show it in the directory 
structure. I am having this issue on Redhat 6.5 (autofs 5.0.5-89)

On Suse Enterprise Desktop 11.3 : (autofs-5.0.6-3.10.16.1)

>
>>
>> This is my config :
>>
>> /etc/sysconfig/autofs
>> ----
>> LDAP_URI="ldap://srvxxx.domain.net/"
>> SEARCH_BASE="ou=LinuxAutoMount,ou=Resources,dc=domain,dc=net"
>> LDAP_TIMEOUT="100"
>> LDAP_NETWORK_TIMEOUT="100"
>> MAP_HASH_TABLE_SIZE=2048
>
> OK, so BROWSE_MODE isn't set so it = yes by default and you expect the
> mount point directories within what are probably indirect mounts to be
> created or removed, as the case may be, correct?
>
> But they aren't all being created (or removed)?

That's right.

>> /etc/nsswitch.conf
>> ----
>> automount: files ldap
>
> This might make a difference, depending on what file maps exist, but we
> would need a debug log and map examples to reproduce the problem.
>
> What about logging a bug against rhel-6 and working on it there.
>
> Ian

That's what I was thinking. This really looks like a bug. I will post my 
finding to you and the list when this is solved.

Greetings, Richard Smits.

Re: Problem with autofs and ldap

[Ian Kent]

On Tue, 2014-10-21 at 15:27 +0200, rsmits-l wrote:
> >
> > What about logging a bug against rhel-6 and working on it there.
> >
> > Ian
> 
> That's what I was thinking. This really looks like a bug. I will post my 
> finding to you and the list when this is solved.

If you have a subscription then I'd recommend going via GSS since
Bugzilla bugs have the lowest priority for Engineering, bugs that come
via GSS and other support folks using the recommended process get first
priority. But of course you need to convince GSS the problem should be
escalated.

Ian

Re: Problem with autofs and ldap

[Ian Kent]

On Tue, 2014-10-21 at 15:27 +0200, rsmits-l wrote:
> 
> >>
> >> When I do a autofs reload maybe 90 % of the time I see all entry's. I am
> >> having this issue on Redhat 6 and Suse 11. Strange thing is that the
> >> autofs logging (debug) shows always all the entry's but are not
> >> reflected in the filesystem structure.
> >
> > I can't remember now what gets logged for the ldap map reads so how have
> > you established the read gets all the entries (and what rel6 version of
> > autofs are you using)?
> 
> The read gets all the entry's but just doesn't show it in the directory 
> structure. I am having this issue on Redhat 6.5 (autofs 5.0.5-89)

It might be worth checking if the current rhel-6.5 release helps, if you
have access to it.

* Thu May 15 2014 Ian Kent <ikent@redhat.cem> - 5.0.5-89.el6_5.2
- bz1089889 - autofs can ghost non-existent map entries given the right timing
  - fix use cache entry after free in lookup_prune_one_cache().
  - check for non existent negative entries in lookup_ghost().
- Resolves: rhbz#1089889

* Thu Feb 27 2014 Ian Kent <ikent@redhat.cem> - 5.0.5-89.el6_5.1
- bz1067774 - autofs-5.0.5-88.el6 breaks maps that have a -v in the options
  - fix fix options compare.
- Related: rhbz#1067774

* Fri Feb 21 2014 Ian Kent <ikent@redhat.cem> - 5.0.5-89
- bz1067774 - autofs-5.0.5-88.el6 breaks maps that have a -v in the options
  - fix options compare.
- Resolves: rhbz#1067774

Ian